Is there a clear reference that states at what point in a program lifecycle we are required to seek IATO, ATO?
How will this change, if at all, under RMF?
Is there a lifecycle chart that clearly shows when a program must seek IATO, ATO?
Will something like this be published for IT acquisition programs under RMF?
Step 1 of the RMF process is the point at which you will seek an ATO or IATO. This should occur in the pre-systems acquisition phase before Milestone A. Step 5 of the RMF process is the authorize phase and the system should be authorized before Milestone C. While the intent was to begin the DIACAP process earlier than what you laid out above, it was not always the case with DIACAP. The terminology related to "seeking an ATO" and getting one may be a little unclear, but the bottom line is that when the system is fielded, it must have an ATO or IATO. DoDI 5000.02 states the following:
Cybersecurity RMF steps and activities, as described in DoD Instruction 8510.01, should be initiated as early as possible and fully integrated into the DoD acquisition process including requirements management, systems engineering, and test and evaluation.